Reputation: 3733
Securing WCF web service keeping compatibility with Android and Silverlight
I have been tasked with securing a web service that uses WCF and offers web services for both Silverlight, WP7 and Android devices.
So I believe I should activate SSL and also add a form of authentication/authorization to the web service.
Now I am aware that I can turn on Windows Authentication on my web.config and in IIS that will automagically use the log in for the PC for the authentication. But I don't know if this is the right solution to use when I am using devices outside of the intranet and specifically Android devices. I don't want to set up to use this method of Authentication for the Android developers on our team to not be able to progress. So is this easy enough to do in Android?
When I do add the security, I found it was easy to add to a basicHttpBinding with <transport clientCredentialType="Windows" but that this doesn't work within a customBinding. Is there something different with those?
Upvotes: 1
Views: 279
Answers (1)
Reputation: 8944
I am doing something extremely similar with my applications. For the android side, we send the device a MobileUserId - in our case, a Guid, which uniquely identifies the user. This is saved only for the session. From there, each call to the service also requires this Guid to be valid.
For the security, your web.config should have these:
<service name="Service.System" behaviorConfiguration="ServiceBehaviour">
<endpoint address="" binding="webHttpBinding" bindingConfiguration="TransportSecurity" contract="Service.ISystem" behaviorConfiguration="web"></endpoint>
</service>
<bindings>
<webHttpBinding>
<binding name="TransportSecurity">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
Even if you choose not to use something like a Guid, or UUID in java, you will still need some way to pass a username / password combination from the android device - it will not work with windows authentication.
You should also probably look into REST or SOAP. I have found REST to be much easier to use, so I have preference towards it.
Upvotes: 2
Related Questions
- Authentication for Android app connecting to a WCF service (on-prem environment)
- User Authentication
- WCF Services with Windows Authentication and Varied Clients
- Secure WCF Webservice with high compatibility
- How to secure WCF service which an Android app will use?
- Authenticate Android client on WCF Webapi site?
- WCF REST Security Options for clients not all using .NET
- Cross platform WCF service
- Securing a Web Service for use in Mobile Devices
- Security in windows mobile app and wcf service